diff options
Diffstat (limited to 'pkg/authz/local_check_service.go')
| -rw-r--r-- | pkg/authz/local_check_service.go | 152 |
1 files changed, 152 insertions, 0 deletions
diff --git a/pkg/authz/local_check_service.go b/pkg/authz/local_check_service.go new file mode 100644 index 0000000..e165143 --- /dev/null +++ b/pkg/authz/local_check_service.go @@ -0,0 +1,152 @@ +package authz + +import ( + "context" + "net/http" + "strings" + + core "github.com/envoyproxy/go-control-plane/envoy/config/core/v3" + auth "github.com/envoyproxy/go-control-plane/envoy/service/auth/v3" + types "github.com/envoyproxy/go-control-plane/envoy/type/v3" + "github.com/xlgmokha/x/pkg/log" + "github.com/xlgmokha/x/pkg/x" + "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls" + status "google.golang.org/genproto/googleapis/rpc/status" + "google.golang.org/grpc/codes" +) + +var public map[string]bool = map[string]bool{ + "GET:/": true, + "GET:/application.js": true, + "GET:/callback": true, + "GET:/dashboard/nav": true, + "GET:/favicon.ico": true, + "GET:/favicon.png": true, + "GET:/health": true, + "GET:/htmx.js": true, + "GET:/index.html": true, + "GET:/logo.png": true, + "GET:/pico.min.css": true, + "GET:/signout": true, + "GET:/sparkle": true, + "GET:/sparkles": true, + "GET:/vue.global.js": true, + "POST:/sparkles/restore": true, +} + +type LocalCheckService struct { + auth.UnimplementedAuthorizationServer +} + +func NewLocalCheckService() auth.AuthorizationServer { + return &LocalCheckService{} +} + +func (svc *LocalCheckService) Check(ctx context.Context, request *auth.CheckRequest) (*auth.CheckResponse, error) { + if svc.isAllowed(ctx, request) { + return svc.OK(ctx), nil + } + return svc.Denied(ctx), nil +} + +func (svc *LocalCheckService) isPublic(ctx context.Context, r *auth.CheckRequest) bool { + ok, _ := public[svc.keyFor(r.Attributes.Request.Http)] + return ok +} + +func (svc *LocalCheckService) isAllowed(ctx context.Context, r *auth.CheckRequest) bool { + if !svc.validRequest(ctx, r) { + return false + } + + log.WithFields(ctx, svc.fieldsFor(r)) + return svc.isPublic(ctx, r) || svc.isLoggedIn(ctx, r) +} + +func (svc *LocalCheckService) validRequest(ctx context.Context, r *auth.CheckRequest) bool { + return x.IsPresent(r) && + x.IsPresent(r.Attributes) && + x.IsPresent(r.Attributes.Request) && + x.IsPresent(r.Attributes.Request.Http) +} + +// TODO:: Replace this naive implementation +func (svc *LocalCheckService) isLoggedIn(ctx context.Context, r *auth.CheckRequest) bool { + rawCookie := r.Attributes.Request.Http.Headers["cookie"] + if x.IsPresent(rawCookie) { + cookies, err := http.ParseCookie(rawCookie) + if err != nil { + pls.LogError(ctx, err) + return false + } + idTokenCookie := x.Find(cookies, func(cookie *http.Cookie) bool { + return cookie.Name == "id_token" + }) + if x.IsZero(idTokenCookie) { + return false + } + segments := strings.SplitN(idTokenCookie.Value, ".", 3) + if len(segments) != 3 { + return false + } + idToken, err := NewIDToken(idTokenCookie.Value) + if err != nil { + pls.LogError(ctx, err) + return false + } + if x.IsZero(idToken) { + return false + } + return true + } + return false +} + +func (svc *LocalCheckService) OK(ctx context.Context) *auth.CheckResponse { + log.WithFields(ctx, log.Fields{"authorized": true}) + return &auth.CheckResponse{ + Status: &status.Status{ + Code: int32(codes.OK), + }, + HttpResponse: &auth.CheckResponse_OkResponse{ + OkResponse: &auth.OkHttpResponse{ + Headers: []*core.HeaderValueOption{}, + HeadersToRemove: []string{}, + ResponseHeadersToAdd: []*core.HeaderValueOption{}, + }, + }, + } +} + +func (svc *LocalCheckService) Denied(ctx context.Context) *auth.CheckResponse { + log.WithFields(ctx, log.Fields{"authorized": false}) + return &auth.CheckResponse{ + Status: &status.Status{ + Code: int32(codes.PermissionDenied), + }, + HttpResponse: &auth.CheckResponse_DeniedResponse{ + DeniedResponse: &auth.DeniedHttpResponse{ + Status: &types.HttpStatus{ + Code: types.StatusCode_Unauthorized, + }, + Headers: []*core.HeaderValueOption{}, + }, + }, + } +} + +func (svc *LocalCheckService) fieldsFor(r *auth.CheckRequest) log.Fields { + return log.Fields{ + "host": r.Attributes.Request.Http.Host, + "id": r.Attributes.Request.Http.Id, + "method": r.Attributes.Request.Http.Method, + "path": r.Attributes.Request.Http.Path, + "protocol": r.Attributes.Request.Http.Protocol, + "request_id": r.Attributes.Request.Http.Headers["x-request-id"], + "scheme": r.Attributes.Request.Http.Scheme, + } +} + +func (svc *LocalCheckService) keyFor(r *auth.AttributeContext_HttpRequest) string { + return strings.Join([]string{r.Method, r.Path}, ":") +} |